[Haskell-cafe] Fwd: Fwd: Compatibility etiquette for apps, with cabal sandboxes and `stack`

Michael Orlitzky michael at orlitzky.com
Mon Nov 30 15:47:16 UTC 2015

On 11/30/2015 03:59 AM, Joachim Durchholz wrote:
> Am 30.11.2015 um 00:24 schrieb Michael Orlitzky:
>> GHC does dynamic linking now, but I'm OK with static linking as long as
>> it's tracked. The end result is the same as if you had dynamic linking,
>> only with a lot more wasted space and rebuilds/reinstalls.
> Well, the idea was to use static linking to keep the libraries 
> themselves outside the view of the package manager. I.e. the libraries 
> aren't tracked inside the package manager, they become part of your 
> upstream.

I get the idea, but it doesn't work in general. To use a cheesy example,
what if OpenSSL was statically linked into everything when heartbleed
was announced? If the static linking goes untracked, how do you fix it?
You need to rebuild everything that was linked against OpenSSL, but how
do you find those packages and rebuild them? Can you explain your answer
to a typical "Windows Update" user?

Less-serious vulnerabilities pop up every day and require the same
attention, so whatever solution you come up with needs to be fast and

> I do wonder about the "a lot more wasted space" bit.
> How much space are we really talking about?

Compiled programs aren't too bad. If you pull in a ton of libraries, you
might get 50MB overhead for a huge program. But if you go full retard
like NodeJS and bundle recursively, you can find yourself pulling in
500MB of dependencies for helloworld.js.

That's not anyone's main objection though. If we could fix dependencies
by wasting disk space everyone would be on board.

More information about the Haskell-Cafe mailing list